Security experts in South Korea have discovered a new wave of activity from the Kimsuky threat actors, which includes the use of commodity open-source remote access tools delivered with their tailored malware, Gold Dragon.
What Is Kimsuky?
Kimsuky (also known as Velvet Chollima, Thallium, or TA406) is a state-sponsored cybercrime organization based in North Korea. It has been active in cyber-espionage operations since 2017, although the group itself has existed since 2012.
This hacking organization conducts espionage campaigns against South Korean think tanks, nuclear power companies, and the Ministry of Unification, an executive department of the South Korean government responsible for working towards the reunification of Korea.
The group has shown remarkable operational adaptability and a wide diversity of threat activity, partaking in:
According to experts at ASEC (AhnLab), in the latest operation, Kimsuky employs xRAT in cyberattacks against South Korean organizations. The campaign began on January 24, 2022, and is still in progress.
What Is xRAT?
xRAT is an open-source remote access and administration tool that is freely available on GitHub. Keylogging, a remote shell, file manager actions, a reverse HTTPS proxy, AES-128-encrypted communication, and automated social engineering are among the features of the malware.
A more experienced cybercriminal may opt